21 Aug
writing a Browser fuzzer !!!
Hello all
in this post , i wanna talk about web browser Fuzzing and auditing.
web browsers , such as FireFox , Opera , Internet Explorer and etc .. , are very convertible with new web technologies.
For example :
when html5 comes , Firefox added html5 features to itself too. and a clever Attacker could recognizing this change and we will be able to find Security holes .
for more information please read :
w3.org publish paper with this title: HTML 5 differences from HTML 4
http://www.w3.org/TR/2009/WD-html5-diff-20090212/
and take HTML5 Overview :
http://dev.w3.org/html5/spec/Overview.html
please pay attention to differences between FF3 & FF3.5 :
These changes include support for the <video> and <audio> tags as defined in the HTML 5 specification, with a goal to offer video playback without being encumbered by patent issues associated with many video technologies.
Cross-site XMLHttpRequests (XHR), which can allow for more powerful web applications and an easier way to implement mashups, are also implemented in 3.5.
A new global JSON object contains native functions to efficiently and safely serialize and deserialize JSON objects, as specified by the ECMAScript 3.1 draft.
Full CSS 3 selector support has been added. Firefox 3.5 uses the Gecko 1.9.1 engine, which includes a few features that were not included in the 3.0 release. Multi-touch support was also added to the release, including gesture support like pinching for zooming and swiping for back and forward.
and then milw0rm.com publish new exploit in “Firefox font tag !”
http://www.milw0rm.com/exploits/9137
we are not bloodsucker , we try to act like a real hacker , Real hacker (Pen-tester i mean) think about how to find this type of bug .
since we know about all of new features in new web browsers such as of FF and we can test features as a security researcher as well.
Browser Vulnerability Assessment has tree step :
1 – Find HTML or XML or javascript <tag> browser can support , for example :
http://msdn.microsoft.com/en-us/library/ms533050%28VS.85%29.aspx [IE]
2- find Properties , Methods , Collections , Events ,Constants , Prototypes , HTML Elements for each <tag> .
3- misuse property of <tag> or fuzzed tag for buffer-overflow and other memory corruption vulnerabilities (in this case)
for example :
we want find memory corruption vulnerability using , unbound check in <font> tag, in Internet explorer 8 !:
<font color=”#727272″>test</font>
take a look at “MSDN” :
http://msdn.microsoft.com/en-us/library/ms535248%28VS.85%29.aspx
second : find “Attribute” and “property” of <font> tag , such as :
‘color’, ‘face’, ‘size’, ‘class’, ‘id’, ‘style’, ‘title’, ‘dir’, ‘lang’, ‘accesskey’, ‘tabindex’
third : build random character for “overflows ” , “FormatString” , and other memory corruptions …
for example to be more clear i wrote a really basic fuzzer in python :
(for sure this is not a commercial fuzzer)
# Abysssec Inc public material # Simple Browser Fuzzer # www.Abysssec.com #garbage char overflows = ['A' * 10, 'A' * 20, 'A' * 100, 'A' * 200] fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x'] numbers = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647', '2147483648', '-2147483648'] # FONT property fontpropery = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex'] #basic Automated Fuzzer : i = 0 for x in fontpropery: for y in overflows: tag = "<span>TEST</span>" i = i + 1 file = open( str(i) + ".html","w") file.writelines('') file.writelines(tag) file.close() for y in fmtstring: tag = "<span>TEST</span>" i = i + 1 file = open( str(i) + ".html","w") file.writelines('') file.writelines(tag) file.close() for y in numbers: tag = "<span>TEST</span>" i = i + 1 file = open( str(i) + ".html","w") file.writelines('') file.writelines(tag) file.close()
for start fuzzing , add refresh page with next page . [for start fuzz click 1.html]
another way :
“Jeremy Brown” developed this a fuzzer for general browser fuzzing” :
- Written in PERL
- CSS/DOM/HTML/JS fuzzing comprehensive
- Specialized functions for fuzz page generation & writing
- Decent file structure easily supporting add/del/modification
- 3rd generation [unlimited style, web] fuzzing oracle implemented
http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt
this fuzzer is good but it’s really simple too and can’t find new vulnerabilities without modifying but you can extend it for new method of browser <tag > fuzz .
more info :
http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt
Browser Auditing :
browser source code auditing is actually white-box testing and only is useful when you have an open source browser like Firefox and …. .
source code auditing is really practical , but need higher then knowledge in programming (always C/C++)
for example , in firefox :
you can download all versions source code from here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases
more source code of FF written by C++ , my interested C++ source code Auditor is : CPPcheck
http://sourceforge.net/apps/mediawiki/cppcheck
Important point that we understand from this Post :
why we can’t found bugs from this ways ?
i try to answer this question in future post .
————————————————————-
and this write-up is for tell you we are “not dead”
wait for out new advisories + exploits soon as soon possible
god speed you
Daphne
———–
unfortunately , we had mistake in our simple fuzzer , now edit & repaired .
thanks .
Daphne /
and here you can see Spared Heap
